Nmap Development mailing list archives

NSE: Packet retransmit breaking rdp-ntlm-info #1682


From: Tom Sellers <nmap () fadedcode net>
Date: Sat, 10 Aug 2019 15:24:29 -0500

All,
  I'm tossing a copy of GitHub issue #1682 ( https://github.com/nmap/nmap/issues/1682 ) here so that more people may 
see it.

Copied from the issue:



I've seen some reports, which I was able to reproduce, that rdp-ntlm-info didn't work against Windows 7. While testing I noticed that some of the packets were being sent twice, which was breaking the protocol negotiation. This seems to happen when scanning with -sS but not -sT.

This appears to be an issue with Nmap or NSE and how raw packets are handled.

You can observe the retransmission using Wireshark / tcpdump.

Reproduce error

sudo nmap -sS --script rdp-ntlm-info -p 3389 -n target_ip


Workaround

sudo nmap -sT --script rdp-ntlm-info -p 3389 -n target_ip


When running with --packet-trace I only see Nmap send the packet once (in the output) in either case.

If you view the traffic with Wireshark you can see that it is re-transmitted.

In the image linked below, packet 15 is the original and packet 16 is the retransmission:
https://user-images.githubusercontent.com/6500426/62826433-14768e00-bb81-11e9-8f05-24b17fe265dc.png



I was able to create a simple reproducer which removes the protocol from the equation.

Command

sudo nmap -sS --script +test -p 3389 target_ip

Script named 'test.nse'

local nmap = require "nmap"
local stdnse = require "stdnse"
local shortport = require "shortport"

description = [[
Minimal reproducer: connects to the target port, sends one arbitrary payload
and waits for a reply, so that the single send() can be watched on the wire.
]]

categories = {"safe"}

-- Port number is compared numerically by shortport, so pass it as a number.
portrule = shortport.port_or_service(3389, "ms-wbt-server")

action = function(host, port)

  local socket = nmap.new_socket()
  socket:set_timeout(5000)
  local status, err = socket:connect(host, port)
  if not status then
    return false, "Failed connecting to server: " .. (err or "unknown error")
  end

  -- This is the one send() that shows up twice in the capture with -sS.
  status, err = socket:send("If a packet hits a pocket on a socket on a port..")
  if not status then
    socket:close()
    return false, err
  end

  stdnse.debug1("Sent, now waiting...")
  local data
  status, data = socket:receive()

  stdnse.debug1("Closing")
  socket:close()
  if not status then
    -- timeout or error; nothing useful to report
    return nil
  end
  return data
end


Environment

$ nmap --version
Nmap version 7.70SVN ( https://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.3.5 openssl-1.1.1 libssh2-1.8.0 libz-1.2.11 nmap-libpcre-7.6 libpcap-1.8.1 
nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

Linux sammich 5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64 x86_6


- Tom
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
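The post suggests confirming the duplicate send in Wireshark or tcpdump. As an added example (not part of the original post and not Nmap code), the following script parses the one-line-per-packet text that `tcpdump -nn` prints and flags any payload-carrying TCP segment whose source, destination and sequence range were already seen in the same direction, which is what a retransmitted send looks like in a capture. The sample capture embedded below is constructed to resemble the exchange described in the post (a scanner at 192.0.2.10 talking to 192.0.2.20:3389); its addresses, timestamps and sequence numbers are made up.

```python
"""
Flag retransmitted TCP payload segments in `tcpdump -nn` text output.

Added example, not from the original post or from Nmap. The sample lines in
SAMPLE_CAPTURE are constructed; only the line format follows tcpdump.
"""
import re
from collections import Counter

# One TCP summary line from `tcpdump -nn`, e.g.
#   15:24:29.001200 IP 192.0.2.10.44321 > 192.0.2.20.3389: Flags [P.], seq 1:20, ack 1, win 502, length 19
# "seq" is absent on pure ACKs, "ack" is absent on the initial SYN, and TCP
# options may appear between the window and the trailing "length" field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?(?:, ack (?P<ack>\d+))?.*?, length (?P<len>\d+)$"
)

# Constructed capture: handshake, the scanner's payload sent twice (same
# seq range, same length, 30 us apart), the server's reply and the final ACK.
SAMPLE_CAPTURE = """\
15:24:29.000001 IP 192.0.2.10.44321 > 192.0.2.20.3389: Flags [S], seq 0, win 64240, options [mss 1460], length 0
15:24:29.000412 IP 192.0.2.20.3389 > 192.0.2.10.44321: Flags [S.], seq 0, ack 1, win 8192, options [mss 1460], length 0
15:24:29.000450 IP 192.0.2.10.44321 > 192.0.2.20.3389: Flags [.], ack 1, win 502, length 0
15:24:29.001200 IP 192.0.2.10.44321 > 192.0.2.20.3389: Flags [P.], seq 1:20, ack 1, win 502, length 19
15:24:29.001230 IP 192.0.2.10.44321 > 192.0.2.20.3389: Flags [P.], seq 1:20, ack 1, win 502, length 19
15:24:29.002900 IP 192.0.2.20.3389 > 192.0.2.10.44321: Flags [P.], seq 1:12, ack 20, win 8192, length 11
15:24:29.002950 IP 192.0.2.10.44321 > 192.0.2.20.3389: Flags [.], ack 12, win 502, length 0
"""


def parse_line(line):
    """Return the fields of one tcpdump TCP line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["len"] = int(pkt["len"])
    return pkt


def find_retransmissions(lines):
    """Return (src, dst, seq_range) for every payload segment seen more than once.

    Segments with length 0 are ignored: duplicate ACKs are normal TCP
    behaviour, and the symptom in the post is a data-bearing segment
    going out twice. Each duplicated segment is reported once, on its
    second appearance.
    """
    seen = Counter()
    dups = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["len"] == 0:
            continue
        key = (pkt["src"], pkt["dst"], pkt["seq"])
        seen[key] += 1
        if seen[key] == 2:
            dups.append(key)
    return dups


if __name__ == "__main__":
    for src, dst, seq in find_retransmissions(SAMPLE_CAPTURE.splitlines()):
        print("retransmitted payload: %s > %s seq %s" % (src, dst, seq))
```

To use it on a live run, capture the scan with `sudo tcpdump -nn -l tcp port 3389 > capture.txt` in one terminal, run the nmap command in another, then feed the saved lines to `find_retransmissions`. Keying on the sequence range works with either relative sequence numbers (tcpdump's default) or absolute ones (`tcpdump -S`) as long as both copies come from the same capture; if the scanner reuses a source port across runs in one file, split the file per run first.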

